diff --git a/changelog/16594.txt b/changelog/16594.txt
new file mode 100644
index 0000000000000..3aae9645f08fa
--- /dev/null
+++ b/changelog/16594.txt
@@ -0,0 +1,5 @@
+```release-note:improvement
+auth/kerberos: add `remove_instance_name` parameter to the login CLI and the
+Kerberos config in Vault. This removes any instance names found in the keytab
+service principal name.
+```
diff --git a/go.mod b/go.mod
index e1705feff89cc..ffe71e202d777 100644
--- a/go.mod
+++ b/go.mod
@@ -100,7 +100,7 @@ require (
 github.com/hashicorp/vault-plugin-auth-cf v0.12.0
 github.com/hashicorp/vault-plugin-auth-gcp v0.13.2
 github.com/hashicorp/vault-plugin-auth-jwt v0.13.0
- github.com/hashicorp/vault-plugin-auth-kerberos v0.7.0
+ github.com/hashicorp/vault-plugin-auth-kerberos v0.7.1
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0
 github.com/hashicorp/vault-plugin-auth-oci v0.11.0
 github.com/hashicorp/vault-plugin-database-couchbase v0.7.0
diff --git a/go.sum b/go.sum
index 00d1a0a50d0a6..a3973ce2e4aad 100644
--- a/go.sum
+++ b/go.sum
@@ -980,8 +980,8 @@ github.com/hashicorp/vault-plugin-auth-gcp v0.13.2 h1:rv8gBKYzFz9BD9pFRyrmfi46Bu
 github.com/hashicorp/vault-plugin-auth-gcp v0.13.2/go.mod h1:tHtTF/qQmrRrY5DEOxWxoW/y5Wk9VoHsBOC339RO3d8=
 github.com/hashicorp/vault-plugin-auth-jwt v0.13.0 h1:BeMC4ZnP8iwRgL8vInEvCICA6e+iiDtkmOdNYKg3aGQ=
 github.com/hashicorp/vault-plugin-auth-jwt v0.13.0/go.mod h1:+WL5kaq/0L5OROsA31X15U8yTIX4GTEv1rTLA9d15eo=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.7.0 h1:6iQIiF4usqBwXZmab3rpq/dMIw+np+DFbIBxC3r6Ybw=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.7.0/go.mod h1:eqjae8tMBpAWgJNk1NjV/vtJYXQRZnYudUkBFowz3bY=
+github.com/hashicorp/vault-plugin-auth-kerberos v0.7.1 h1:H4MmfNqpxpa4vHMdfckx9KzEEPC+9+APHpDF1pBy61g=
+github.com/hashicorp/vault-plugin-auth-kerberos v0.7.1/go.mod h1:eqjae8tMBpAWgJNk1NjV/vtJYXQRZnYudUkBFowz3bY=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0 h1:pONFgWz9hbcS1wFxPtQJYj9Mt/nzPVX1kw1DGv+92Ww=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0/go.mod h1:/hQF30guXWLcIUiTYsXoQ0dUTHspo0q30nLBr1RE+Lw=
 github.com/hashicorp/vault-plugin-auth-oci v0.11.0 h1:DrdccnGU8O28I1MIs21zmbYM2Nta7RLOAzozvDSX9h0=
diff --git a/website/content/api-docs/auth/kerberos.mdx b/website/content/api-docs/auth/kerberos.mdx
index 21a3023b0fb2d..e29bd609ce3eb 100644
--- a/website/content/api-docs/auth/kerberos.mdx
+++ b/website/content/api-docs/auth/kerberos.mdx
@@ -35,6 +35,10 @@ for verifying inbound SPNEGO tokens. - `service_account` `(string: )` – The service account associated with both the keytab entry and an LDAP service account created for Vault. Ex.: `"vault_svc"`. +- `remove_instance_name` - Removes any instance names from a Kerberos service + principal name when parsing the keytab file. For example when this is set to true, + if a keytab has the service principal name `foo/localhost@example.com`, Vault + will strip the service principal name to just be `foo@example.com`. ### Sample Request
@@ -51,7 +55,8 @@ $ curl \
 ```json
 {
 "keytab": "BQIAAAA6AAEACk1BVFJJWC5MQU4ACXZhdWx0X3N2YwAAAAFdzZSjAgAXABDwhEyRR9nRqkpP8KTn2A83AAAAAg==",
- "service_account": "vault_svc"
+ "remove_instance_name": false,
+ "service_account": "vault_svc",
 }
 ```
 
@@ -80,6 +85,7 @@ $ curl \
 "warnings": null,
 "wrap_info": null,
 "data": {
+ "remove_instance_name": false,
 "service_account": "vault_svc"
 },
 "lease_duration": 0,
diff --git a/website/content/docs/auth/kerberos.mdx b/website/content/docs/auth/kerberos.mdx
index 9b257996c15b0..cce144554f429 100644
--- a/website/content/docs/auth/kerberos.mdx
+++ b/website/content/docs/auth/kerberos.mdx
@@ -164,6 +164,10 @@ $ vault login -method=kerberos \ It includes a mechanism for tunneling pre-authentication exchanges using armoured KDC messages. FAST provides increased resistance to passive password guessing attacks. Some common Kerberos implementations do not support FAST negotiation. +- `remove_instance_name` removes any instance names from a Kerberos service + principal name when parsing the keytab file. For example when this is set to true, + if a keytab has the service principal name `foo/localhost@example.com`, the CLI + will strip the service principal name to just be `foo@example.com`. ## Troubleshooting